Security oversight in some apps could leave you vulnerable to hacking, data theft

A simple oversight in some apps’ implementation of SSL could leave millions of users vulnerable to man-in-the-middle attacks, opening the door for malicious hackers to obtain sensitive user data.

Usually when sensitive information is being transferred over a network, the application will open an encrypted connection with the server using SSL (Secure Sockets Layer). iOS ships with a list of Certificate Authorities whose SSL certificates should be trusted, helping to ensure traffic is only sent to trusted servers and not intercepted by a malicious third party using their own self-signed SSL certificate.

Unfortunately, a number of applications have been found to bypass the list included in iOS, and instead accept an SSL certificate issued by anybody. This means that, combined with another attack called ARP (Address Resolution Protocol) poisoning, an attacker on the same network as a user can view all of the traffic going to and from a given app and potentially obtain such sensitive details as passwords, bank account numbers, or even credit card information.

The good news is that a few of the companies who were notified that their apps had this problem responded promptly. E*TRADE has already released a partial fix and has a more complete fix on the way. Users of TD Ameritrade and Credit Karma should keep an eye out for updates that are in the works. Cisco is also working on a fix for their WebEx app, and Cisco customers can view the bug details (login required).

Sadly, not all companies were as responsive. Users who recently dropped Instagram over their terms & conditions fiasco may be disappointed to learn that Flickr was among the applications found to be affected, but has no timeline for when a fix will be available. Similarly, Monster was unable to say when or if a fix might be released.

If you’re using H&R Block or Fandango you’re also out of luck for now; neither of them responded to emails about the issue. Users of Fandango should be particularly cautious about buying tickets within the app, as their credit card details will be transmitted and left vulnerable.

As if it weren’t enough to worry about what apps on your own devices are sending, the problem doesn’t end there. Payment system software Lavu Lite and EVERPay Mobile POS share this security issue. Lavu Lite has already released an update to fix it that merchants should be sure to go grab. And remember when Verifone accused Square of being insecure? One of Verifone’s own mobile payment apps, PAYware, has this vulnerability as well, though none of Square’s apps do. Verifone did not respond when contacted.

It’s important to stay mindful of who you’re trusting with your data. Incidents like this serve as a good reminder of why it’s important to remain vigilant about personal security practices. Using unique passwords for all of your accounts with an app like 1Password, and having a VPN service like Cloak available are a couple of things users can do to help protect themselves from things like this.

For more detailed technical information on this SSL issue and how to identify it in other apps, see the companion post on neglectedpotential.com.

Reader comments


Why is it that the security of the phone is left to the developer that may or may not subscribe to the proper SSL? I don't pretend to understand cyber security in the slightest, but this seems like a bit of a gaping hole. I thought iPhones were catching up to Android on the security front.

Apple has always been more secure than Android, which is part of why it has less features (like no interapp communications, no side-loading, etc.).

This looks like developers, for whatever reason, going out of their way to do things differently, and causing problems because of it. (Nick explains it properly, hit the link to his follow-up article above.)

Just to be clear, the issue with the apps above is not that they lack certificate pinning. The issue is they're not listening to SSL warnings from the OS. Rather than only allowing certificates issued by a trusted CA, they allow certificates issued by anybody.
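To make the distinction in the comment above concrete (and the description in the article body of apps that "accept an SSL certificate issued by anybody"), here is an added illustration. It is not code from the article, from neglectedpotential.com, or from any of the apps named; it uses the NSURLConnection delegate API of the period and two hypothetical delegate classes. The first delegate reproduces the flaw: it turns the server's trust object straight into a credential without evaluating it, so iOS's CA check never happens. The second keeps the system's verdict by evaluating the chain with SecTrustEvaluate and refusing the connection when it fails.

```objectivec
// Added example, not code from the article or any app it names.
// Two NSURLConnection delegates for a hypothetical iOS client.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// VULNERABLE: accepts whatever certificate the server presents. iOS would
// have rejected an unknown or self-signed certificate; this delegate
// overrides that decision, which is the flaw the article describes.
@interface AcceptAnythingDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation AcceptAnythingDelegate
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    if ([challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Builds a credential from the server's trust object without ever evaluating it.
        NSURLCredential *anyCert =
            [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
        [challenge.sender useCredential:anyCert forAuthenticationChallenge:challenge];
        return;
    }
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}
@end

// HARDENED: evaluates the certificate chain against the CAs iOS trusts and
// only then accepts it. Not implementing this delegate method at all gives
// the same result; the explicit check is shown so the decision is visible.
@interface SystemTrustDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation SystemTrustDelegate
- (void)connection:(NSURLConnection *)connection
    willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    if ([challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        SecTrustRef trust = challenge.protectionSpace.serverTrust;
        SecTrustResultType result = kSecTrustResultInvalid;
        // The trust object already carries the SSL policy for the host, so
        // this evaluates both the chain and the hostname.
        OSStatus status = SecTrustEvaluate(trust, &result);
        BOOL trusted = (status == errSecSuccess) &&
                       (result == kSecTrustResultUnspecified ||
                        result == kSecTrustResultProceed);
        if (trusted) {
            [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
                 forAuthenticationChallenge:challenge];
        } else {
            // Untrusted chain: refuse rather than silently continue.
            [challenge.sender cancelAuthenticationChallenge:challenge];
        }
        return;
    }
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}
@end
```

When reviewing an app for this class of bug, the places to look are exactly the ones the vulnerable delegate touches: a `credentialForTrust:` call that is not preceded by `SecTrustEvaluate`, a `kSecTrustResultRecoverableTrustFailure` treated as success, the private `setAllowsAnyHTTPSCertificate:forHost:` call on NSURLRequest, or `kCFStreamSSLValidatesCertificateChain` set to false on a CFStream. None of these require certificate pinning to fix; restoring the OS's default handling is enough.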